Friday, February 27, 2009

How to add the second domain controller in Active Directory (Windows 2008 R2) part 1

After the “How to create the first domain controller in Active Directory (Windows 2008)” post, it’s time to consider adding an additional domain controller to your domain.

Why should you consider that?

- Redundancy: Having more than one DC for a given domain provides better redundancy for users, computers and apps. Apart from Active Directory redundancy, you may also host additional roles on those DCs that you want to keep available in case of a DC failure or DC overload. The roles most commonly hosted on DCs are the DNS server role and the Global Catalog.

- Workload distribution: Depending on the size of your network, load balancing the users, apps, computers, etc… across multiple DCs prevents the overload of a single DC.

- Domain hierarchy: The first domain that is created is the Root Domain of the forest. If you lose that domain, you lose the entire forest. In a scenario where you have multiple domains within a forest, if you have only one DC for that top Root Domain and you lose that DC forever, you may say goodbye to your entire forest. In sub domains (child domains), if you lose the only DC that you have, you’ll lose that domain plus the child domains of that child domain. Hum… that’s not good… As you already guessed, domain hierarchy is very important in Active Directory.

- Recovery/Availability: Consider the following scenario. Your DC suffers a hardware failure, and to recover from that hardware failure you’ll have to wait some time. If you have only one DC, you have a problem: the apps that use that DC will no longer work until that DC is back online, the users that use those apps will also stop working, and your company will lose money because of that down time. Anyway, you recover that DC from the hardware failure, but then you discover that the DC cannot start (BSoD, more down time). No problem (you think), you start the backup recovery process, but you discover that the backup isn’t enough to recover that DC. Now you have a big problem: everyone has stopped working and the company isn’t making money because of that. Everyone will have to wait until you replace the domain controller with a new one. With a second DC, your down time would be zero, and the dead DC could be replaced easily without affecting the users or apps that depend on it.

And if I lose both DCs?
It’s true, you can lose both DCs and you’ll be “dead” anyway, but that is another story, with different planning, for a different blog post. The point that I’m trying to make clear is that with 2 DCs per domain “at the minimum” you get a good chance of recovering from down times (with a good percentage of success), plus better redundancy and a distributed workload.

I could give you a lot more reasons to have additional DCs, but keep those in mind and hopefully they will be enough to make you think twice before considering only one DC for your domain.

Ok, back to the beginning: how to create the second domain controller in Active Directory. Actually it is pretty simple, we just need to have a healthy domain (run the dcdiag tool to check that everything is OK), and if everything is working correctly you are ready to add the 2nd DC to your domain.
In this demonstration I’ll use the Beta release of Windows 2008 R2. Instead of using the GUI, I’ll use an answer file to install the DC.

Okay, let’s prepare the additional domain controller and build the answer file that we’ll use with dcpromo.exe to promote the server to an additional domain controller in an existing forest.

Before you start:
· Plan the FQDN of the domain controller carefully, and make sure that it follows the rules of your internal company documentation. Although it’s possible to rename DCs running Windows 2003 and later, I would rather do it correctly the first time, preventing later changes. Check the naming conventions in Microsoft KB 909264.

· Configure your NIC with a static IP address. Avoid using multiple NICs in DCs: this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB 272294 and 191611 for more information.

· Make sure that the Administrator account has a strong password. If possible, avoid using the Administrator account and use a dedicated account to perform your everyday work in AD. Think of the Administrator account as the SOS account, and try to use it only when no other account solves your problem.

· You must have at least one drive formatted with NTFS.

· Install the latest updates from the Microsoft website.

· Check your event log for errors and correct them before proceeding.

· Plan and test the backup strategy for your Active Directory forest. After that, take a full backup of the existing DC in case you need to roll back.

· At last, check the date and time settings, make sure they are correct, and make sure that the existing DC is in sync with a trusted and valid authoritative time server. By default, the DC that holds the PDCe role will be the authoritative time server for your forest, and additional DCs will sync their time with this DC.

Note: Pay attention to the preferred DNS configuration on DC2: it must point to the existing DC1 that already has AD on it. Because I want to provide redundancy using both servers, I will install the AD and DNS server roles on DC2, but first I need to use an existing DC to add DC2 as an additional domain controller to the domain, and for that to happen I need to use a valid existing DNS server that “knows” where my AD is.
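As an added example (not part of the original post), the following PowerShell script runs the pre-promotion checks above on the prospective DC2 before dcpromo is launched: single NIC with a static IP, preferred DNS pointing at the existing DC, an NTFS volume, the DC locator SRV record resolving through that DNS server, time source, recent System errors, and a quiet dcdiag against the existing DC. The names DC1, corp.example.com and 192.0.2.10 are placeholders for the existing DC, the target domain and DC1's IP address.

```powershell
# Added pre-promotion checklist for the prospective DC2; placeholders below must be adjusted.
$ExistingDcName = "DC1"                # placeholder: name of the existing DC
$ExistingDcIp   = "192.0.2.10"         # placeholder: IP of DC1 (also its DNS server)
$DomainFqdn     = "corp.example.com"   # placeholder: domain DC2 will join

$results = @()
function Add-Check($Name, $Passed, $Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail".Trim() }
}

# 1. Exactly one IP-enabled NIC, static address, preferred DNS = existing DC (avoid multihomed DCs)
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })
Add-Check "Single IP-enabled NIC" ($nics.Count -eq 1) ("IP-enabled NICs: " + $nics.Count)
foreach ($nic in $nics) {
    Add-Check "Static IP on $($nic.Description)" (-not $nic.DHCPEnabled) ("IP: " + ($nic.IPAddress -join ","))
    $preferredDns = @($nic.DNSServerSearchOrder)[0]
    Add-Check "Preferred DNS is existing DC" ($preferredDns -eq $ExistingDcIp) "Preferred DNS: $preferredDns"
}

# 2. At least one NTFS volume for the AD database, logs and SYSVOL
$ntfs = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" | Where-Object { $_.FileSystem -eq "NTFS" })
Add-Check "NTFS volume present" ($ntfs.Count -ge 1) ("NTFS drives: " + (($ntfs | ForEach-Object { $_.DeviceID }) -join ","))

# 3. The DNS server DC2 uses must "know" where AD is: query the DC locator SRV record through it
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainFqdn" $ExistingDcIp 2>&1 | Out-String
Add-Check "DC locator SRV record resolves" ($srv -match "svr hostname") $srv

# 4. Time: DC2 should already follow the PDCe-rooted time hierarchy rather than its local CMOS clock
$w32 = w32tm /query /status 2>&1 | Out-String
$source = ($w32 -split "`n" | Where-Object { $_ -match "Source:" }) -join ""
Add-Check "Time source is not the local clock" ($source -match "Source:" -and $source -notmatch "CMOS") $source

# 5. Event log errors should be fixed before promoting (last 24 hours of the System log)
$errs = @(Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue)
Add-Check "No System errors in last 24h" ($errs.Count -eq 0) ("Errors: " + $errs.Count)

# 6. Existing domain health: dcdiag /q prints only failures, so empty output means a clean run
#    (requires the AD DS tools / RSAT on the machine running this script)
$dcd = dcdiag /s:$ExistingDcName /q 2>&1 | Out-String
Add-Check "dcdiag /q clean on $ExistingDcName" ([string]::IsNullOrEmpty($dcd.Trim())) $dcd

$results | Format-Table Check, Passed, Detail -AutoSize -Wrap
if ($results | Where-Object { -not $_.Passed }) { Write-Warning "Fix the failed checks before running dcpromo." }
```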

Now it’s time to prepare the answer file. Let's see that in part 2 of this article:
How to add the second domain controller in Active Directory (Windows 2008 R2) part 2.
